The Basics of Input Validation in Cyber Security
HTML-код
- Опубликовано: 7 фев 2025
- The lack of input validation is the primary cause of many web application including SQL injection (SQLi), Cross-Site Scripting (XSS), and other attacks depicted in the OWASP Top 10 and beyond.
The root of this problem is in application not validating or incorrectly validating user input that affects the users of the application.
Improper input validation is used by attackers to bypass security measures such as authentication and authorization controls. It is also used to inject malicious code into the web application which then can be executed by the server or client.
On your screen, you will see an example of improper input validation.
We pass user input straight into a database, and once that's done, we return the provided value to the user as well.
In other words, we open our application to two types of web application attacks - SQL Injection and Cross-Site Scripting.
From there, depending on the architecture of our product or application, both of those attacks can take different forms - SQL injection (SQLi) can be blind, classic, or out-of-band, and Cross-Site Scripting (XSS) can be either reflected, stored, or DOM-based.
Having knowledge of the code behind the application, an attacker can now mount one or both of those attacks against it and steal data in a database using SQL injection, steal session cookies and impersonate a user by utilizing Cross-Site Scripting (XSS), or do other things by utilizing attacks like Cross-Site Request Forgery (CSRF), or other attacks.
Neither of those outcomes don't mean anything good for your MySQL or MariaDB database and your application and php user input validation will be our first step to a more secure future. Here's how to do it.
The first prerequisite for validating user input in php is to consider the use case of your application. The use case of your application will steer you in a direction that makes you understand what kind of attacks it may be susceptible to. Then, perform php user input validation by using functions built-in to your programming language, writing custom code or by using software that does it for you. Here are a couple of examples.
You can validate email addresses or URLs by using PHP validation form functions like filter_var. The PHP validation form FILTER_VALIDATE_EMAIL function will ensure that the email is indeed an email, and the PHP validation form FILTER_VALIDATE_URL function will ensure that a link is indeed a URL. There are other PHP filters and ways to protect from different attacks directed at web applications.
SQL injection (SQLi) can be mitigated by using prepared statements or PHP Data Objects since they will ensure that user input does not get passed into a database query, and thus, prevent malicious SQL code from executing, thus preventing SQL injection.
Cross-Site Scripting, or XSS, can be mitigated by either not making user input visible or wrapping it in functions like htmlspecialchars or htmlentities.
Cross-Site Request Forgery (CSRF) can be mitigated by adding a CSRF token into your form and checking for CSRF token mismatch upon PHP form submission.
To perform a regular expression check, one can use the php function preg_match.
To replace portions of an input string based on a regular expression, one can use the php function preg_replace.
Finally, to return the length of a string, use the php function strlen. Then, act on it and build a validation function or two.
So, to recap, php input validation can be done by using php input validation functions we've just discussed, functions you build yourself based on your use case, using firewalls that detect and block malicious input, and also common sense.
All of those things should make your application and database more secure.
Subscribing to channels like this one is also a good idea - that way, you will be able to watch videos and improve the security posture of your application even further. I hope you've enjoyed this video and found it useful or entertaining, and until next time.
Music:
Dreaming Journey II by GalaxyTones: / galaxytones
Creative Commons - Attribution 3.0 Unported - CC BY 3.0
Free Download / Stream: www.audiolibra...
Music promoted by Audio Library: • Dreaming Journey II - ...
#security #php #development #coding #programming #database #developer
![BLACK BAG - Official Trailer [HD] - Only in Theaters March 14](http://i.ytimg.com/vi/Du0Xp8WX_7I/mqdefault.jpg)
